Hello all,
I'm having problems with joining the PhotonOS (only a PhotonOS appliance, not a vCenter) to an AD domain.
The machine is running Photon OS 4.0 with all updates installed. The likewise-open and lightwave-client packages are installed:
NAME="VMware Photon OS"
VERSION="4.0"
ID=photon
VERSION_ID=4.0
PRETTY_NAME="VMware Photon OS/Linux"
ANSI_COLOR="1;34"
HOME_URL="https://vmware.github.io/photon/"
BUG_REPORT_URL="https://github.com/vmware/photon/issues"
I tried multiple work instructions, always ending with the same result:
root@pht-01 [ ~ ]# /opt/likewise/bin/domainjoin-cli setname PHT-01 && /opt/likewise/bin/domainjoin-cli join --enable hostname DOMENA.LOCAL luka
Joining to AD Domain: DOMENA.LOCAL
With Computer DNS Name: pht-01.DOMENA.LOCAL
luka@DOMENA.LOCAL's password:
Error: LW_ERROR_UNKNOWN [code 0x00009cfc]
I've tried increasing the logging level, and there is no error at all. The tail of the log is the following:
20220329124045:INFO:Writing krb5 file /tmp/likewisetmpTA1Y6E/etc/krb5.conf
20220329124045:INFO:File /tmp/likewisetmpTA1Y6E/etc/krb5.conf modified
20220329124045:INFO:Finishing krb5.conf configuration
20220329124046:ERROR:LW_ERROR_UNKNOWN [LW_ERROR_UNKNOWN]
No luck with joindomain.sh either.
Just to summarize all the steps, settings:
Any suggestion is very appreciated.
Thank you
Luka
Try this:
Modify /etc/hosts with your network setup:
192.168.0.99 dc.domain.local domain
192.168.0.118 photon.domain.local photon
127.0.0.1 localhost
Modify /etc/resolv.conf with your network setup. The example assumes a DNS server installed on your MS domain controller:
domain domain.local
search domain.local
nameserver 192.168.0.99
In /etc/likewise/likewise-krb5-ad.conf, add the domain controller FQDN as default_realm:
[libdefaults]
default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC
default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC
preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC
dns_lookup_kdc = true
default_realm = dc.domain.local
Check if ldapsearch works:
ldapsearch -x -LLL -H ldap://192.168.0.99 -b "dc=domain,dc=local" -D "cn=administrator,cn=users,dc=domain,dc=local" -w "<password>"
Afterwards this should work, too:
/opt/likewise/bin/domainjoin-cli join --assumeDefaultDomain --userDomainPrefix domain dc.domain.local administrator
Setup environment:
- MS Windows Server 2016 with domain controller and DNS server role
- Photon OS 4.0 rev2 aarch64 on rpi4
tdnf update -y
tdnf install likewise-open -y
Hope this helps.
-Daniel
Hi Daniel,
I tried updating the hosts, resolv.conf and likewise-krb5-ad.conf like you suggested, but I'm still getting the same error:
Error: LW_ERROR_UNKNOWN [code 0x00009cfc]
I tried to replicate the same problem in my lab (a simple setup with one AD and one PhotonOS VM), and everything works fine.
I would like to blame the AD infrastructure, but I'm completely blind and have no idea where to start, with the error not saying anything:
Error: LW_ERROR_UNKNOWN [code 0x00009cfc]
and in the log: 20220405152637:ERROR:LW_ERROR_UNKNOWN [LW_ERROR_UNKNOWN]
So far I've tested everything I could imagine, and everything works fine.
Thank you for your help
Luka
Hi Luka,
The recipe of configuring default_realm in /etc/likewise/likewise-krb5-ad.conf and using --assumeDefaultDomain is a workaround, as domainjoin-cli join on a specific ou doesn't seem to work. Hence, yes, it works in a lab setup.
I haven't found a working set so far when specifying an ou.
Afaik, the likewise open source package in Photon OS is similar to github.com/BeyondTrust/pbis-open, and that source doesn't receive further updates. The Photon OS source is here.
The vendor there, www.beyondtrust.com/docs/release-notes/ad-bridge/index.htm, describes enhancements in their product, and from a release notes perspective there were some domainjoin-cli bugfixes, too.
Nevertheless, gathering more information in your use case might help.
Getting the domain controller(s) information should work:
/opt/likewise/bin/lw-get-dc-list <fqdn>
The NTP comparison of domain time and local time should be fine:
/opt/likewise/bin/lw-get-dc-time <fqdn> && timedatectl
The ldapsearch from above should work.
Display all supported SASL options. A user account with joindomain privileges should be sufficient:
ldapsearch -x -LLL supportedSASLMechanisms -H ldap://<ip/dns domain controller> -s base -D "cn=joindomuser,cn=users,dc=domain,dc=local" -w <password>
Gather information from the domainjoin-cli log:
/opt/likewise/bin/domainjoin-cli --loglevel verbose --logfile /var/log/domain.log join --assumeDefaultDomain --userDomainPrefix <domainshort> <fqdn domain> <username>
Parse kernel messages, e.g.:
dmesg |grep lsassd
Imho it has nothing to do with SMB. Nevertheless, you could check the settings:
/opt/likewise/bin/lwregshell set_value '[HKEY_THIS_MACHINE\Services\lwio\Parameters\Drivers\rdr]' Smb2Enabled 1
/opt/likewise/bin/lwsm restart lwio
and on the domain controller: smb1=false, smb2=true.
Get-SmbServerConfiguration | Select EnableSMB1Protocol
Get-SmbServerConfiguration | Select EnableSMB2Protocol
Some additional and helpful findings would be nice.
edited:
With a predefined default_realm, specifying an ou in /opt/likewise/bin/domainjoin-cli setname photon && /opt/likewise/bin/domainjoin-cli join --enable hostname --ou "CN=Computers,DC=domain,DC=local" domain.local joindom@domain.local seems to work though, also for non-built-in ou's.
Btw, do you use one AD or two (MS AD + Lightwave server)?
Regards,
Daniel
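A pre-join consistency check that follows from the two replies above (populating /etc/hosts with the DC records, and comparing the DC list AD knows about with what DNS advertises), as an added example that is not part of this thread or of the likewise tooling. It assumes you paste in the DC FQDNs obtained from AD (e.g. via lw-get-dc-list), the output of `dig +short SRV _ldap._tcp.dc._msdcs.<domain>`, and the text of /etc/hosts; the sample data below is constructed.

```python
"""Cross-check the DC list AD reports against DNS SRV records and /etc/hosts
before running domainjoin-cli.  Added example; the input formats are assumed:
a list of DC FQDNs, `dig +short SRV` output, and the contents of /etc/hosts."""


def parse_srv(dig_output: str) -> set[str]:
    """dig +short SRV prints 'priority weight port target.' per record; keep the target."""
    targets = set()
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) == 4:
            targets.add(parts[3].rstrip(".").lower())
    return targets


def parse_hosts(hosts_text: str) -> dict[str, str]:
    """Map every hostname and alias in /etc/hosts to its address (comments stripped)."""
    mapping = {}
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            mapping[name.lower()] = addr
    return mapping


def check_dc_consistency(ad_dcs, dig_output, hosts_text):
    """Return the three mismatches that would make the domain join fail or flap."""
    ad = {d.rstrip(".").lower() for d in ad_dcs}
    dns = parse_srv(dig_output)
    hosts = parse_hosts(hosts_text)
    return {
        "in_ad_not_in_dns": sorted(ad - dns),          # DC exists but is not advertised
        "in_dns_not_in_ad": sorted(dns - ad),          # stale SRV record for a removed DC
        "missing_from_hosts": sorted(d for d in ad | dns if d not in hosts),
    }


# Constructed sample data (not from the thread): dc2 is missing from DNS, dc3 is stale.
SAMPLE_AD_DCS = ["dc1.domain.local", "dc2.domain.local"]
SAMPLE_DIG = "0 100 389 dc1.domain.local.\n0 100 389 dc3.domain.local.\n"
SAMPLE_HOSTS = """127.0.0.1 localhost
192.168.0.99 dc1.domain.local dc1   # primary DC
192.168.0.118 photon.domain.local photon
"""

if __name__ == "__main__":
    for key, names in check_dc_consistency(SAMPLE_AD_DCS, SAMPLE_DIG, SAMPLE_HOSTS).items():
        print(f"{key}: {names or 'none'}")
```

Any name listed under in_ad_not_in_dns or missing_from_hosts is a DC the joiner may be handed by AD but cannot resolve, which is the situation a fully populated /etc/hosts papers over until DNS is fixed.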
Thanks a lot, Daniel, for your help - I knew that I should not blame PhotonOS 😉
With your hint I was able to find a mismatch between the DC list that the domain controllers have and the list of DCs propagated to DNS.
With a fully populated /etc/hosts file with correct records I was able to join the VM to the domain.
Now it's time to fix the AD, but that's not something for me, nor for this forum.
Once again, thank you very much for your help! You saved me with your ideas.
Thanks for sharing.
Thanks for sharing.